C-O Diagrams have been introduced as a means to have a more visual representation of electronic contracts, where it is possible to represent the obligations, permissions and prohibitions of the different signatories, as well as the penalties in case of non-fulfillment of their obligations and prohibitions. In such diagrams we are also able to represent absolute and relative timing constraints. In this paper we present a formal semantics for C-O Diagrams based on timed automata extended with an ordering of states and edges in order to represent different deontic modalities.

1 Introduction 

In the software context, the term contract has traditionally been used as a metaphor to represent limited kinds of "agreements" between software elements at different levels of abstraction. The first use of the term in connection with software programming and design was by Meyer in the context of the language Eiffel (programming-by-contracts, or design-by-contract) [10]. This notion of contracts basically relies on Hoare's notion of pre- and post-conditions and invariants. Though this paradigm has proved useful for developing object-oriented systems, it seems to have shortcomings for novel development paradigms such as service-oriented computing and component-based development. These new applications have a more involved interaction and therefore require a more sophisticated notion of contracts.

As a response, behavioural interfaces have been proposed to capture richer properties than simple 
pre and post-conditions [5]. Here it is possible to express contracts on the history of events, including 
causality properties. However, the approach is limited when it comes to contracts containing exceptional 
behaviour, since the focus is mainly on the interaction concerning expected (and prohibited) behaviour. 

In the context of SOA, there are different service contract specification languages, like ebXML, WSLA [14], and WS-Agreement [13]. These standards and specification languages suffer from one or more of the following problems: they are restricted to bilateral contracts, they lack formal semantics (so it is difficult to reason about them), their treatment of functional behaviour is rather limited, and the sub-languages used to specify, for instance, security constraints are usually limited to small application-specific domains. The lack of suitable languages for contracts in the context of SOA is a clear conclusion of the survey [11], where a taxonomy is presented.
Figure 2: AND/OR/SEQ refinements and repetition in C-O Diagrams

More recently, some researchers have investigated how to adapt deontic logic [9] to define (consistent) contracts targeted to software systems where the focus is on the normative notions of obligation, permission and prohibition, sometimes including exceptional cases (e.g., [12]). Independently of the application domain, there is still a need to better fill the gap between a contract understood by non-experts in formal methods (for its use), its logical representation (for reasoning), and its internal machine representation (for runtime monitoring, and to be manipulated by programmers). We see two possible ways to bridge this gap: i) to develop suitable techniques to get a good translation from contracts written in natural language into formal languages, and ii) to provide a graphical representation (and tools) to manipulate contracts at a high level, with formal semantics supporting automatic translation into the formal language. In this paper we take the second approach.

In [8] we introduced C-O Diagrams, a graphical representation for contracts allowing the representation of complex clauses describing the obligations, permissions, and prohibitions of different signatories (as defined in deontic logic [9]), as well as reparations describing contractual clauses in case of non-fulfillment of obligations and prohibitions. Besides, C-O Diagrams make it possible to define real-time constraints. In that work, some of the satisfaction rules needed to check whether a timed automaton satisfies a C-O Diagram specification were defined. These rules were originally, and incorrectly, called a "formal semantics". The goal of this paper is to further develop our previous work; in particular, we present here a formal semantics for C-O Diagrams based on timed automata, extended with an ordering of states and edges.

The rest of the work is structured as follows: Section 2 presents C-O Diagrams and their syntax, Section 3 develops the formal semantics of C-O Diagrams, including its implementation in UPPAAL and a small example. The work is concluded in Section 4.



2 C-O Diagrams Description and Syntax 

In Fig. 1 we show the basic element of C-O Diagrams. It is called a box and it is divided into four fields. On the left-hand side of the box we specify the conditions and restrictions. The guard $g$ specifies the conditions under which the contract clause must be taken into account (a boolean expression). The time restriction $tr$ specifies the time frame during which the contract clause must be satisfied (deadlines, timeouts, etc.). The propositional content $P$, in the centre, is the main field of the box, and it is used to specify normative aspects (obligations, permissions and prohibitions) that are applied over actions, and/or the specification of the actions themselves. The last field of these boxes, on the right-hand side, is the reparation $R$. This reparation, if specified by the contract clause, is a reference to another contract that must be satisfied in case the main norm is not satisfied (a prohibition is violated or an obligation is not fulfilled; there is no reparation for a permission), and the clause is considered eventually satisfied if this reparation is satisfied. Each box also has a name and an agent. The name is useful both to describe the clause and to reference the box from other clauses, so it must be unique. The agent indicates who is the performer of the action.
Figure 3: Compound actions in C-O Diagrams

Figure 4: Composition of norms in C-O Diagrams

These basic elements of C-O Diagrams can be refined by using AND/OR/SEQ refinements, as shown in Fig. 2. The aim of these refinements is to capture the hierarchical clause structure followed by most contracts. An AND-refinement means that all the subclauses must be satisfied in order to satisfy the parent clause. An OR-refinement means that it is only necessary to satisfy one of the subclauses in order to satisfy the parent clause, so as soon as one of its subclauses is fulfilled, we conclude that the parent clause is fulfilled as well. A SEQ-refinement means that the norm specified in the target box (Subclause2 in Fig. 2) must be fulfilled after satisfying the norm specified in the source box (Subclause1 in Fig. 2). By using these structures we can build a hierarchical tree with the clauses defined by a contract, where the leaf clauses correspond to the atomic clauses, that is, to the clauses that cannot be divided into subclauses. There is another structure that can be used to model repetition. This structure is represented as an arrow going from a subclause to one of its ancestor clauses (or to itself), meaning the repetitive application of all the subclauses of the target clause after satisfying the source subclause. For example, on the right-hand side of Fig. 2 we have an OR-refinement with an arrow going from Subclause1 to Clause. It means that after satisfying Subclause1 we apply Clause again, but not after satisfying Subclause2.

Only atomic actions are specified in the $P$ field of the leaf boxes of our diagrams. The composition of actions is achieved by means of the different kinds of refinement. In this way, an AND-refinement can be used to model concurrency "&" between actions, an OR-refinement can be used to model a choice "+" between actions, and a SEQ-refinement can be used to model a sequence ";" of actions. In Fig. 3 we can see an example of how to model these compound actions through refinements, given two atomic actions $a$ and $b$.

The deontic norms (obligations, permissions and prohibitions) that are applied over these actions can be specified in any box of our C-O Diagrams, affecting all the actions in the leaf boxes that are descendants of this box. If the box where we specify the deontic norm is a leaf, the norm only affects the atomic action we have in this box. An upper-case "O" is used to denote an obligation, an upper-case "P" to denote a permission, and an upper-case "F" to denote a prohibition (forbidden). These letters are written in the top left corner of field $P$.

The composition of deontic norms is also achieved by means of the different refinements we have in C-O Diagrams. Thus, an AND-refinement corresponds to the conjunction operator "$\wedge$" between norms, an OR-refinement corresponds to the choice operator "+" between norms, and a SEQ-refinement corresponds to the sequence operator ";" between norms. For example, we can imagine having a leaf box specifying the obligation of performing an action $a$, written as $O(a)$, and another leaf box specifying the obligation of performing an action $b$, written as $O(b)$. These two norms can be combined in the three different ways mentioned before through the different kinds of refinement (Fig. 4). However, the specification of deontic norms in our diagrams must fulfill the following rule: exactly one deontic norm must be specified in each branch of our hierarchical tree, i.e., we cannot have an action without a deontic norm applied over it and we cannot have deontic norms applied over other deontic norms. Agents are only specified in the boxes where a deontic norm is defined, each agent being associated to a concrete deontic norm. Finally, the repetition of both actions and deontic norms can be achieved by means of the repetition structure we have in C-O Diagrams.

We have given here an abridged description of C-O Diagrams. A more detailed description can be found in [8], including a qualitative and quantitative evaluation, and a discussion of related work.



Definition 1 (C-O Diagrams Syntax) We consider a finite set of real-valued variables $\mathcal{C}$ standing for clocks, a finite set of non-negative integer-valued variables $\mathcal{V}$, a finite alphabet $\Sigma$ for atomic actions, a finite set of identifiers $\mathcal{A}$ for agents, and another finite set of identifiers $\mathcal{N}$ for names. The Greek letter $\varepsilon$ means that an expression is not given, i.e., it is empty.

We use $C$ to denote the contract modelled by a C-O Diagram. The diagram is defined by the following EBNF grammar:

$$
\begin{array}{rcl}
C & := & (agent, name, g, tr, O(C_2), R) \;\mid\; (agent, name, g, tr, P(C_2), \varepsilon) \;\mid\; (agent, name, g, tr, F(C_2), R) \;\mid\; (\varepsilon, name, g, tr, C_1, \varepsilon)\\
C_1 & := & C\,(And\;C)^+ \;\mid\; C\,(Or\;C)^+ \;\mid\; C\,(Seq\;C)^+\\
C_2 & := & a \;\mid\; C_3\,(And\;C_3)^+ \;\mid\; C_3\,(Or\;C_3)^+ \;\mid\; C_3\,(Seq\;C_3)^+\\
C_3 & := & (\varepsilon, name, \varepsilon, \varepsilon, C_2, \varepsilon)\\
R & := & C \;\mid\; \varepsilon
\end{array}
$$

where $a \in \Sigma$, $agent \in \mathcal{A}$ and $name \in \mathcal{N}$. Guard $g$ is $\varepsilon$ or a conjunctive formula of atomic constraints of the form $v \sim n$ or $v - w \sim n$, for $v, w \in \mathcal{V}$, $\sim \in \{<, \le, =, \ge, >\}$ and $n \in \mathbb{N}$, whereas time restriction $tr$ is $\varepsilon$ or a conjunctive formula of atomic constraints of the form $x \sim n$ or $x - y \sim n$, for $x, y \in \mathcal{C}$, $\sim \in \{<, \le, =, \ge, >\}$ and $n \in \mathbb{N}$. $O$, $P$ and $F$ are the deontic operators corresponding to obligation, permission and prohibition, respectively, where $O(C_2)$ states the obligation of performing $C_2$, $F(C_2)$ states the prohibition of performing $C_2$, and $P(C_2)$ states the permission of performing $C_2$. $And$, $Or$ and $Seq$ are the operators corresponding to the refinements we have in C-O Diagrams: AND-refinement, OR-refinement and SEQ-refinement, respectively.



The simplest contract we can have in C-O Diagrams is that composed of only one box including the elements $agent$ and $name$. Optionally, we can specify a guard $g$ and a time restriction $tr$. We also have a deontic operator ($O$, $P$ or $F$) applied over an atomic action $a$, and in the case of obligations and prohibitions it is possible to specify another contract $C$ as a reparation.

We use $C_1$ to define a more complex contract where we combine different deontic norms by means of any of the different refinements we have in C-O Diagrams. In the box where we have the refinement into $C_1$ we cannot specify an agent nor a reparation, because these elements are always related to a single deontic norm, but we can still specify a guard $g$ and a time restriction $tr$ that affect all the deontic norms we combine.

Once we write a deontic operator in a box of our diagram, we have two possibilities, as we can see in the specification of $C_2$: we can just write a simple action $a$ in the box, the deontic operator being applied only over it, or we can refine this box in order to apply the deontic operator over a compound action. In this case the subboxes ($C_3$) cannot define a new deontic operator, as it has already been defined in the parent box (affecting all the subboxes).
3 C-O Diagrams Semantics

The C-O Diagrams semantics is defined by means of a transformation into a Network of Timed Automata (NTA), which is defined as a set of timed automata that run simultaneously, using the same set of clocks and variables, and synchronizing on the common actions.

In what follows we consider a finite set of real-valued variables $\mathcal{C}$ ranged over by $x, y, \ldots$ standing for clocks, a finite set of non-negative integer-valued variables $\mathcal{V}$ ranged over by $v, w, \ldots$, and a finite alphabet $\Sigma$ ranged over by $a, b, \ldots$ standing for actions. We use letters $r, r', \ldots$ to denote sets of clocks. We denote by $Assigns$ the set of possible assignments, $Assigns = \{v := expr \mid v \in \mathcal{V}\}$, where $expr$ are arithmetic expressions using naturals and variables. Letters $s, s', \ldots$ are used to represent sets of assignments.

A guard or invariant condition is a conjunctive formula of atomic constraints of the form $x \sim n$, $x - y \sim n$, $v \sim n$ or $v - w \sim n$, for $x, y \in \mathcal{C}$, $v, w \in \mathcal{V}$, $\sim \in \{<, \le, =, \ge, >\}$ and $n \in \mathbb{N}$. The set of guard or invariant conditions is denoted by $\mathcal{G}$, ranged over by $g, g', \ldots$.

Definition 2 (Timed Automaton) A timed automaton is a tuple $(N, n_0, E, I)$, where $N$ is a finite set of locations (nodes), $n_0 \in N$ is the initial location, $E \subseteq N \times \mathcal{G} \times \Sigma \times \mathcal{P}(Assigns) \times 2^{\mathcal{C}} \times N$ is the set of edges, where the subset of urgent edges is called $E_u \subseteq E$ (graphically, urgent edges are distinguished by a white arrowhead), and $I : N \to \mathcal{G}$ is a function that assigns invariant conditions (which may be empty) to locations.

From now on, we write $n \xrightarrow{g,a,s,r} n'$ to denote $(n, g, a, s, r, n') \in E$, and $n \xrightarrow{g,a,s,r}_u n'$ when $(n, g, a, s, r, n') \in E_u$.

In an NTA we distinguish two types of actions: internal and synchronization actions. Internal actions can be executed by the corresponding automata independently, and they are ranged over by the letters $a, b, \ldots$. Synchronization actions, however, must be executed simultaneously by two automata; they are ranged over by the letters $m, m', \ldots$ and come from the synchronization of two actions $m!$ and $m?$ executed from two different automata. Due to lack of space, we refer the reader to the standard definitions of the semantics of timed automata and NTA.

To specify the C-O Diagrams semantics, we add the definition of two orderings, $\prec_N$ and $\prec_E$, where:

• $\prec_N$ is a (strict, partial) ordering on $N$, where $n \prec_N n'$ means that node $n$ is better than node $n'$.

• $\prec_E$ is a (strict, partial) ordering on $E$, where $e \prec_E e'$ means that edge $e$ is better than edge $e'$.

We also add a violation set $V(n)$ associated to each node $n$ in $N$, that is, the set of contractual obligations and prohibitions that are violated in $n$.

Definition 3 (Violation Set) Let us consider the set of contractual obligations and prohibitions $CN$, ranged over by $cn, cn', \ldots$ standing for identifiers of obligations and prohibitions. We write $n \not\models cn$ to express that obligation or prohibition $cn$ is violated in node $n$. Therefore, the violation set is defined as $V(n) = \{cn \mid cn \in CN \text{ and } n \not\models cn\}$.

Another set, called satisfaction set $S(n)$, is also associated to each node $n$ in $N$. This set is composed of the contractual obligations and prohibitions that have already been satisfied in $n$.

Definition 4 (Satisfaction Set) Let us consider the set of contractual obligations and prohibitions $COF$, ranged over by $cof, cof', \ldots$ standing for identifiers of obligations and prohibitions. We write $n \models cof$ to express that obligation or prohibition $cof$ has been satisfied in node $n$ (we consider a prohibition satisfied in node $n$ if it has not been violated and cannot be violated anymore because the time frame specified for the prohibition has expired). Hence, the satisfaction set is defined as $S(n) = \{cof \mid cof \in COF \text{ and } n \models cof\}$.
Once these two sets have been defined, we can formally define the ordering on nodes $\prec_N$ by comparing the violation sets and the satisfaction sets of the nodes, and the ordering on edges $\prec_E$ by comparing the violation sets and the satisfaction sets of the target nodes of the edges.

Definition 5 (Ordering on Nodes) A node $n_1$ is better than another node $n_2$ if the violation set of $n_1$ is a proper subset of the violation set of $n_2$ or, if the violation sets are the same, if the satisfaction set of $n_1$ is a proper superset of the satisfaction set of $n_2$, that is,

$$
n_1 \prec_N n_2 \iff (V(n_1) \subset V(n_2)) \text{ or } (V(n_1) = V(n_2) \text{ and } S(n_1) \supset S(n_2)).
$$

Definition 6 (Ordering on Edges) An edge $e_1$ is better than another edge $e_2$ if the source node is the same in both cases but the violation set of the target node of $e_1$ is a proper subset of the violation set of the target node of $e_2$ or, if the violation sets are the same, if the satisfaction set of the target node of $e_1$ is a proper superset of the satisfaction set of the target node of $e_2$. Considering $e_1 = (n_1, g_1, a_1, s_1, r_1, n_1')$ and $e_2 = (n_2, g_2, a_2, s_2, r_2, n_2')$,

$$
e_1 \prec_E e_2 \iff (n_1 = n_2) \text{ and } (V(n_1') \subset V(n_2') \text{ or } (V(n_1') = V(n_2') \text{ and } S(n_1') \supset S(n_2'))).
$$

Finally, another set, called permission set $P(n)$, is associated to each node $n$ in $N$. This set influences neither the ordering on nodes nor the ordering on edges; it is used just to record the permissions in the contract that have been made effective.

Definition 7 (Permission Set) Let us consider the set of contractual permissions $CP$, ranged over by $cp, cp', \ldots$ standing for identifiers of permissions. We write $n \models cp$ to express that permission $cp$ has already been made effective in node $n$. Then, the permission set is defined as $P(n) = \{cp \mid cp \in CP \text{ and } n \models cp\}$.

Graphically, when we draw a timed automaton extended with these three sets, we write under each node $n$, between braces, its violation set $V(n)$ on the left, its satisfaction set $S(n)$ in the centre and its permission set $P(n)$ on the right. In the initial node of the automata we build for C-O Diagrams these three sets are empty. By default, when we compose the automata a node keeps in these sets the same content as the previous node. Only in a few cases is the content of these sets modified (when an obligation or a prohibition is violated, an obligation or a prohibition is satisfied, or a permission is made effective).

Concerning the real-time restrictions $tr$ specified in the contract, the two types of time restriction we can have in C-O Diagrams must be translated in different ways for their inclusion into a timed automaton construction:

• A time restriction specified using absolute time must be specified in timed automata by rewriting the terms in which absolute time references occur. For that purpose we define a global clock $T \in \mathcal{C}$ that is never reset during the execution of the automata and, taking into account the moment at which the contract is enacted, we rewrite the absolute time references as deadlines involving clock $T$, considering the smallest time unit needed in the contract. For example, let us consider a clause that must be satisfied between the 5th of November and the 10th of November, and that the contract containing this clause is enacted on the 31st of October. If we suppose that days is the smallest time unit used in the contract for the specification of real-time restrictions, the time restriction of this clause is written as $(T \ge 5)\ \text{and}\ (T \le 10)$.

• A time restriction specified using relative time must be specified in timed automata by introducing an additional clock to register the amount of time that has elapsed since another clause has been satisfied, resetting the additional clock when this happens and specifying the deadline using it. We call this clock $t_{name}$, where $name$ is the clause used as reference for the specification of the time restriction. Therefore, we define a set of additional clocks $C_{add} = \{t_{name} \mid name \in \mathcal{N}\}$ including a clock for every clause that is used as reference in the time restriction of at least one other clause. For example, let us consider a contract with a clause that must be satisfied between 5 and 10 days after another clause $name1$ has been satisfied. In this case we define an additional clock $t_{name1}$ that is reset to zero when clause $name1$ is satisfied ($t_{name1} := 0$) and the time restriction of the other clause is written as $(t_{name1} \ge 5)\ \text{and}\ (t_{name1} \le 10)$.

Figure 5: Automata corresponding to a simple action a and to compound actions

As a result, the set of clocks of the timed automata is $\mathcal{C} = \{T\} \cup C_{add}$. When we construct the timed automata corresponding to C-O Diagrams, we always consider $(x \ge t_1)\ \text{and}\ (x \le t_2)$ as the interval corresponding to the time restriction $tr$ of the clause, where $x \in \mathcal{C}$ is the clock used for its specification ($x = T$ in the case of absolute time and $x = t_{name}$ in the case of relative time, $name$ being the clause used as reference), $t_1 \in \mathbb{N}$ is the beginning of the interval and $t_2 \in \mathbb{N}$ is the end of the interval ($t_1 \le t_2$). If $tr$ does not define the lower bound of the interval we take $t_1 = 0$, if $tr$ does not define the upper bound of the interval we take $t_2 = \infty$, and if $tr = \varepsilon$ we take $t_1 = 0$, $t_2 = \infty$ and $x = T$.

Once we have given these extensions of the definition of timed automata and we have explained how the different kinds of time restriction can be expressed, considering all the different elements we can specify in a C-O Diagram, we can define the transformation of the diagrams into timed automata by induction, using several transformation rules.

Definition 8 (C-O Diagrams Transformation Rules: Part I)

(1) An atomic action in a C-O Diagram, that is, $(\varepsilon, name, \varepsilon, \varepsilon, a, \varepsilon)$, corresponds to the timed automaton $A = (N_A, n_{0_A}, E_A, I_A)$, where:

• $N_A = \{a_{init}, a_{end}\}$.

• $n_{0_A} = a_{init}$.

• $E_A = \{a_{init} \xrightarrow{a} a_{end}\}$.

• $I_A = \emptyset$.

The violation ($V$), satisfaction ($S$) and permission ($P$) sets are not modified, so $V(a_{init}) = V(a_{end})$, $S(a_{init}) = S(a_{end})$ and $P(a_{init}) = P(a_{end})$. This timed automaton can be seen in Fig. 5(A).

(2) A compound action in a C-O Diagram where an AND-refinement is used to compose actions, that is, $(\varepsilon, name, \varepsilon, \varepsilon, C_1\,And\,C_2\,And \ldots And\,C_n, \varepsilon)$, corresponds to the cartesian product of the automata corresponding to each one of the subcontracts. Let us consider $A, B, \ldots, Z$ the automata corresponding to the subcontracts $C_1, C_2, \ldots, C_n$ (the actions specified in these subcontracts can be atomic actions or other compound actions). The resulting automaton $AND$ corresponds to the cartesian product of these automata, that is, $AND = A \times B \times \ldots \times Z$. Again, the violation ($V$), satisfaction ($S$) and permission ($P$) sets are not modified, so they are the same in all the nodes. This composition of timed automata is shown graphically in Fig. 5(B).
(3) A compound action in a C-O Diagram where an OR-refinement is used to compose actions, that is, $(\varepsilon, name, \varepsilon, \varepsilon, C_1\,Or\,C_2\,Or \ldots Or\,C_n, \varepsilon)$, corresponds to a new automaton in which the automaton corresponding to each one of the subcontracts is considered as an alternative. Let us consider $A, B, \ldots, Z$ the automata corresponding to the subcontracts $C_1, C_2, \ldots, C_n$ (the actions specified in these subcontracts can be atomic actions or other compound actions). The resulting automaton $OR$ preserves the structure of the automata we are composing, but adds a new initial node $OR_{init}$ and connects this node, by means of urgent edges performing no action, to the initial nodes of $A, B, \ldots, Z$ ($A_{init}, B_{init}, \ldots, Z_{init}$). A new ending node $OR_{end}$ is also added, together with urgent edges performing no action from the ending nodes of $A, B, \ldots, Z$ ($A_{end}, B_{end}, \ldots, Z_{end}$) to this new ending node. Let $A = (N_A, n_{0_A}, E_A, I_A)$, $B = (N_B, n_{0_B}, E_B, I_B)$, $\ldots$, $Z = (N_Z, n_{0_Z}, E_Z, I_Z)$. The resulting automaton is therefore $OR = (N_{OR}, n_{0_{OR}}, E_{OR}, I_{OR})$, where:

• $N_{OR} = N_A \cup N_B \cup \ldots \cup N_Z \cup \{OR_{init}, OR_{end}\}$.

• $n_{0_{OR}} = OR_{init}$.

• $E_{OR} = E_A \cup E_B \cup \ldots \cup E_Z \cup \{OR_{init} \rightarrow_u A_{init}, OR_{init} \rightarrow_u B_{init}, \ldots, OR_{init} \rightarrow_u Z_{init}\} \cup \{A_{end} \rightarrow_u OR_{end}, B_{end} \rightarrow_u OR_{end}, \ldots, Z_{end} \rightarrow_u OR_{end}\}$.

• $I_{OR} = I_A \cup I_B \cup \ldots \cup I_Z$.

The violation ($V$), satisfaction ($S$) and permission ($P$) sets are not modified, so they are the same in all the nodes. This composition of timed automata is shown graphically in Fig. 5(C).

(4) A compound action in a C-O Diagram where a SEQ-refinement is used to compose actions, that is, $(\varepsilon, name, \varepsilon, \varepsilon, C_1\,Seq\,C_2\,Seq \ldots Seq\,C_n, \varepsilon)$, corresponds to a new automaton in which the automata corresponding to each one of the subcontracts are connected in sequence. Let us consider $A, B, \ldots, Z$ the automata corresponding to the subcontracts $C_1, C_2, \ldots, C_n$ (the actions specified in these subcontracts can be atomic actions or other compound actions). The resulting automaton $SEQ$ preserves the structure of the automata we are composing, adding no extra nodes. We only connect, with an urgent edge performing no action, the ending node of each automaton in the sequence ($A_{end}, B_{end}, \ldots, Y_{end}$) with the initial node of the next automaton in the sequence ($B_{init}, C_{init}, \ldots, Z_{init}$). This rule is not applied in the cases of $A_{init}$ (as there is no previous ending node to connect) and $Z_{end}$ (as there is no following initial node to connect). Let $A = (N_A, n_{0_A}, E_A, I_A)$, $B = (N_B, n_{0_B}, E_B, I_B)$, $\ldots$, $Z = (N_Z, n_{0_Z}, E_Z, I_Z)$. The resulting automaton is therefore $SEQ = (N_{SEQ}, n_{0_{SEQ}}, E_{SEQ}, I_{SEQ})$, where:

• $N_{SEQ} = N_A \cup N_B \cup \ldots \cup N_Z$.

• $n_{0_{SEQ}} = A_{init}$.

• $E_{SEQ} = E_A \cup E_B \cup \ldots \cup E_Z \cup \{A_{end} \rightarrow_u B_{init}, B_{end} \rightarrow_u C_{init}, \ldots, Y_{end} \rightarrow_u Z_{init}\}$.

• $I_{SEQ} = I_A \cup I_B \cup \ldots \cup I_Z$.

Again, the violation ($V$), satisfaction ($S$) and permission ($P$) sets are not modified, so they are the same in all the nodes. This composition of timed automata is shown graphically in Fig. 5(D).
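The four action rules above as runnable Python (an added example, not the paper's own code or tooling): an automaton is a plain tuple `(nodes, init, end, edges)` with edges `(source, action, target, urgent)`, product nodes of rule (2) are named by joining the component node names with `|`, and the `traces` helper enumerates the action words each refinement admits, which is how the compound actions of Fig. 3 ($a \& b$, $a + b$, $a ; b$) can be checked against the constructions. Guards, assignments, resets and the $V$/$S$/$P$ sets are left out because these four rules add or modify none of them; the node-naming scheme and the tuple layout are this example's own conventions.

```python
# Added example (not from the paper): rules (1)-(4) of Definition 8 on action automata.
# Automaton = (nodes, init, end, edges); edge = (source, action, target, urgent).
# An empty action "" is an edge performing no action. Node naming is this example's convention.
from itertools import product


def atomic(name, a):
    """Rule (1): the automaton of atomic action a, a_init --a--> a_end (nodes prefixed by the clause name)."""
    i, e = name + "_init", name + "_end"
    return ({i, e}, i, e, [(i, a, e, False)])


def and_ref(automata):
    """Rule (2): cartesian (interleaving) product A x B x ... x Z.
    A product edge moves one component and leaves the others where they are."""
    nodes, init, end, edges = automata[0]
    for (n2, i2, e2, ed2) in automata[1:]:
        pnodes = {p + "|" + q for p, q in product(nodes, n2)}
        pedges = [(p + "|" + q, a, p2 + "|" + q, u) for (p, a, p2, u) in edges for q in n2]
        pedges += [(p + "|" + q, a, p + "|" + q2, u) for (q, a, q2, u) in ed2 for p in nodes]
        nodes, init, end, edges = pnodes, init + "|" + i2, end + "|" + e2, pedges
    return nodes, init, end, edges


def or_ref(name, automata):
    """Rule (3): fresh OR_init / OR_end joined to every alternative by urgent silent edges."""
    i, e = name + "_init", name + "_end"
    nodes, edges = {i, e}, []
    for (n, ai, ae, ed) in automata:
        nodes |= n
        edges += ed + [(i, "", ai, True), (ae, "", e, True)]
    return nodes, i, e, edges


def seq_ref(automata):
    """Rule (4): chain A_end --u--> B_init, ..., Y_end --u--> Z_init; no fresh nodes."""
    nodes, edges = set(), []
    for k, (n, ai, ae, ed) in enumerate(automata):
        nodes |= n
        edges += ed
        if k + 1 < len(automata):
            edges.append((ae, "", automata[k + 1][1], True))
    return nodes, automata[0][1], automata[-1][2], edges


def traces(automaton):
    """All action words on paths from init to end, silent edges omitted.
    The constructions above are acyclic, so the search terminates."""
    nodes, init, end, edges = automaton
    out = set()

    def walk(n, word):
        if n == end:
            out.add(word)
        for (s, a, d, _) in edges:
            if s == n:
                walk(d, word + ((a,) if a else ()))

    walk(init, ())
    return out


def fig3_compound_actions():
    """The three compound actions of Fig. 3 built from atomic actions a and b."""
    return {
        "a & b": traces(and_ref([atomic("x", "a"), atomic("y", "b")])),
        "a + b": traces(or_ref("choice", [atomic("x", "a"), atomic("y", "b")])),
        "a ; b": traces(seq_ref([atomic("x", "a"), atomic("y", "b")])),
    }
```

Because the rules compose freely, `seq_ref([atomic("x", "a"), or_ref("o", [atomic("y", "b"), atomic("z", "c")])])` yields the words $ab$ and $ac$, matching the nesting of boxes that the grammar of Definition 1 permits for $C_2$.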

Until now, we have seen how the automata corresponding to the different actions (atomic or compound) specified in a C-O Diagram are constructed, and we have seen that these translations do not modify the content of any of the sets (violation, satisfaction or permission). Next, we define the transformation rules specifying how these "action" automata are modified when we apply a deontic norm (obligation, permission or prohibition) over the actions in the C-O Diagram.

Definition 7 (C-O Diagrams Transformation Rules: Part II)
(5) The application of an obligation, a permission or a prohibition over an action in a C-O Diagram, i.e., $(agent, name, g, tr, O/P/F(C), R)$, corresponds to an automaton where the obligation/prohibition of performing the action specified in the subcontract $C$ can be skipped, fulfilled or violated, whereas the permission of performing the action can be skipped, made effective or not made effective. Let us consider $A = (N_A, n_{0_A}, E_A, I_A)$ the automaton corresponding to $C$, $A_{init}$ being the initial node and $A_{end}$ the ending node. The resulting automaton $D(A)$, where $D \in \{O, P, F\}$, preserves the structure of the automaton $A$ but adds a new ending node $A_{time}$ including the obligation over the action in its violation set, the prohibition over the action in its satisfaction set, or nothing if a permission over the action is considered. If the guard condition $g \neq \varepsilon$, we add another ending node $A_{skip}$ where the violation, satisfaction and permission sets are not modified. We also include the obligation over the action in the satisfaction set of $A_{end}$, the prohibition over the action in the violation set of $A_{end}$, or the permission over the action in the permission set of $A_{end}$. An invariant $x \le t_2 + 1$ is added to each node of $A$ except $A_{end}$, and each edge performing one of the actions in this automaton is guarded with $(x \ge t_1)\ \text{and}\ (x \le t_2)$, the action being performed by $agent$. New edges guarded with $x = t_2 + 1$ and performing no action are added from each node of $A$ except $A_{end}$ to the new node $A_{time}$ and, if the guard condition $g \neq \varepsilon$, an urgent edge from $A_{init}$ to $A_{skip}$ is also added, guarded with the negated guard condition of the clause ($\neg g$). Finally, if $t_{name} \in \mathcal{C}$, all the edges reaching $A_{end}$ reset $t_{name}$ in the cases of obligation and permission, whereas all the edges reaching $A_{time}$ reset $t_{name}$ in the case of prohibition. Considering the more complex case, where $g \neq \varepsilon$ and $t_{name} \in \mathcal{C}$, and having $g_1 = (x \ge t_1)\ \text{and}\ (x \le t_2)$ and $g_2 = (x = t_2 + 1)$, the resulting automaton is therefore $D(A) = (N_{D(A)}, n_{0_{D(A)}}, E_{D(A)}, I_{D(A)})$, where:

• $N_{D(A)} = N_A \cup \{A_{time}, A_{skip}\}$.

• $n_{0_{D(A)}} = A_{init}$.

• $E_{D(A)} = \{A_{init} \xrightarrow{\neg g}_u A_{skip}\} \cup E'$, where

$$
E' = \begin{cases}
\{n \xrightarrow{g_1,\,agent(a)} n' \mid n \xrightarrow{a} n' \in E_A \text{ and } n' \neq A_{end}\} \cup \{n \xrightarrow{g_1,\,agent(a),\,t_{name}:=0} n' \mid n \xrightarrow{a} n' \in E_A \text{ and } n' = A_{end}\} \cup \{n \xrightarrow{g_2} A_{time} \mid n \in N_A - \{A_{end}\}\} & \text{if } D = O\\[4pt]
\{n \xrightarrow{g_1,\,agent(a)} n' \mid n \xrightarrow{a} n' \in E_A \text{ and } n' \neq A_{end}\} \cup \{n \xrightarrow{g_1,\,agent(a),\,t_{name}:=0} n' \mid n \xrightarrow{a} n' \in E_A \text{ and } n' = A_{end}\} \cup \{n \xrightarrow{g_2} A_{time} \mid n \in N_A - \{A_{end}\}\} & \text{if } D = P\\[4pt]
\{n \xrightarrow{g_1,\,agent(a)} n' \mid n \xrightarrow{a} n' \in E_A\} \cup \{n \xrightarrow{g_2,\,t_{name}:=0} A_{time} \mid n \in N_A - \{A_{end}\}\} & \text{if } D = F
\end{cases}
$$

• $I_{D(A)} = I_A \cup \{I(n) = x \le t_2 + 1 \mid n \in N_A - \{A_{end}\}\}$.


The resulting timed automata are shown graphically in Fig. 6, where (A) corresponds to obligation, (B) corresponds to permission and (C) corresponds to prohibition. We consider $a$ to be one of the atomic actions included in the subcontract $C$.
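An added example (not from the paper) that serves both the time-restriction translation of Section 3 and rule (5): `absolute_interval` and `relative_interval` rewrite a time restriction into the interval $(x, t_1, t_2)$ with the defaults described above ($t_1 = 0$, $t_2 = \infty$, $x = T$ when absent), and `apply_norm` builds $D(A)$ from an action automaton given as `(nodes, init, end, edges)`, adding $A_{time}$, the optional $A_{skip}$, the guards $g_1$ and $g_2$, the invariants, the $t_{name}$ resets and the $V$/$S$/$P$ bookkeeping. The enactment date, the clauses `pay` and `resell`, their agents and the guard `stock > 0` are constructed; two choices are this example's own assumptions rather than the paper's: deadline edges are omitted when $t_2 = \infty$ (they could never fire), and only edges that perform an action receive $g_1$, silent edges from OR/SEQ refinements are kept as they are.

```python
# Added example (not from the paper): time-restriction intervals and rule (5), D(A).
# Input automaton = (nodes, init, end, edges) with edges (source, action, target, urgent).
# Output edges are (source, guard, action, resets, target, urgent); sets[n] = (V, S, P).
# Dates, clause names, agents and guards below are constructed for illustration.
from datetime import date
from math import inf

EMPTY = (frozenset(), frozenset(), frozenset())
NO_RESTRICTION = ("T", 0, inf)          # tr = epsilon: x = T, t1 = 0, t2 = infinity


def absolute_interval(enacted, start=None, end=None):
    """Absolute dates become deadlines on the global clock T, in days since enactment."""
    t1 = 0 if start is None else (start - enacted).days
    t2 = inf if end is None else (end - enacted).days
    return ("T", t1, t2)


def relative_interval(ref_name, lo=None, hi=None):
    """A relative restriction uses t_<ref_name>, reset when clause ref_name is satisfied."""
    return ("t_" + ref_name, 0 if lo is None else lo, inf if hi is None else hi)


def apply_norm(norm, action_automaton, agent, name, guard, interval, referenced=False):
    """Rule (5). `guard` is None for g = epsilon; `referenced` means t_name is in the clock set,
    i.e. some other clause measures time from the satisfaction of this one."""
    nodes, init, end, edges = action_automaton
    x, t1, t2 = interval
    g1 = f"({x} >= {t1}) and ({x} <= {t2})" if t2 != inf else f"{x} >= {t1}"
    t_name = "t_" + name
    a_time, a_skip = name + "_time", name + "_skip"
    new_nodes = set(nodes) | {a_time}
    new_edges, invariants = [], {}
    sets = {n: EMPTY for n in new_nodes}      # by default a node inherits empty sets
    # action edges: guarded by g1 and performed by the agent; for O and P the edges that
    # reach A_end reset t_name (assumption: silent edges keep their empty guard)
    for (src, action, dst, urgent) in edges:
        resets = (t_name,) if referenced and norm in ("O", "P") and dst == end else ()
        label = f"{agent}({action})" if action else ""
        new_edges.append((src, g1 if action else "", label, resets, dst, urgent))
    # deadline edges to A_time and the invariants x <= t2+1 on every node except A_end;
    # for F the deadline edges reset t_name (assumption: omitted when t2 is infinite)
    if t2 != inf:
        g2 = f"{x} == {t2 + 1}"
        for n in set(nodes) - {end}:
            resets = (t_name,) if referenced and norm == "F" else ()
            new_edges.append((n, g2, "", resets, a_time, False))
            invariants[n] = f"{x} <= {t2 + 1}"
    if guard is not None:                      # g != epsilon: the clause may be skipped
        new_nodes.add(a_skip)
        sets[a_skip] = EMPTY
        new_edges.append((init, f"not ({guard})", "", (), a_skip, True))
    if norm == "O":
        sets[a_time] = (frozenset({name}), frozenset(), frozenset())   # violated
        sets[end] = (frozenset(), frozenset({name}), frozenset())      # fulfilled
    elif norm == "F":
        sets[a_time] = (frozenset(), frozenset({name}), frozenset())   # expired: satisfied
        sets[end] = (frozenset({name}), frozenset(), frozenset())      # performed: violated
    elif norm == "P":
        sets[end] = (frozenset(), frozenset(), frozenset({name}))      # made effective
    else:
        raise ValueError("norm must be O, P or F")
    return new_nodes, init, new_edges, invariants, sets


ENACTED = date(2011, 10, 31)               # constructed enactment date (the text's example)


def sample_obligation():
    """O(pay) by the buyer between 5 and 10 November, days being the smallest unit."""
    pay = ({"pay_init", "pay_end"}, "pay_init", "pay_end",
           [("pay_init", "pay", "pay_end", False)])
    tr = absolute_interval(ENACTED, date(2011, 11, 5), date(2011, 11, 10))   # ("T", 5, 10)
    return apply_norm("O", pay, "buyer", "pay", None, tr)


def sample_prohibition():
    """F(resell) by the seller, guarded by stock > 0, within 30 days of clause pay being satisfied;
    `referenced=True` because a later clause is assumed to measure time from resell's satisfaction."""
    resell = ({"resell_init", "resell_end"}, "resell_init", "resell_end",
              [("resell_init", "resell", "resell_end", False)])
    return apply_norm("F", resell, "seller", "resell", "stock > 0",
                      relative_interval("pay", 0, 30), referenced=True)
```

For the obligation sample the construction yields exactly the shape of Fig. 6(A): one guarded action edge into $A_{end}$ (with `pay` in its satisfaction set), one edge guarded by $T = 11$ into $A_{time}$ (with `pay` in its violation set) and the invariant $T \le 11$ on $A_{init}$.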



The above constructions can include a reparation contract $R$ in the cases of obligation and prohibition. If this reparation is defined, we have to construct the automaton corresponding to the reparation contract and integrate it as part of the automaton we have generated for the obligation or prohibition. This reparation contract removes the obliged or prohibited clause $name$ from the violation set of the corresponding automaton, as we can see in Fig. 6(D).



Definition 7 (C-O Diagrams Transformation Rules: Part III)
Figure 6: Automata corresponding to deontic norms and automaton corresponding to a reparation

(6) An obligation or prohibition in a C-O Diagram specifying a contract reparation $R \neq \varepsilon$ corresponds to the obligation automaton $O(A)$ or the prohibition automaton $F(A)$ together with the reparation automaton $R$, considering the node with $name$ in its violation set ($A_{vio}$) as the initial node of the reparation automaton ($R_{init}$). In the ending node of the reparation automaton ($R_{end}$), $name$ is removed from the violation set, as the violation has been repaired. In this node the satisfaction set and the permission set are also different from the ones in the initial node of the reparation, because we have to include in the satisfaction set all the obligations and prohibitions satisfied in the reparation contract, and in the permission set all the permissions that have been made effective in the reparation contract. Let us consider $D(A) = (N_{D(A)}, n_{0_{D(A)}}, E_{D(A)}, I_{D(A)})$, where $D \in \{O, F\}$, and $R = (N_R, n_{0_R}, E_R, I_R)$. The resulting automaton is therefore $D(A)_R = (N_{D(A)_R}, n_{0_{D(A)_R}}, E_{D(A)_R}, I_{D(A)_R})$, where:

• $N_{D(A)_R} = N_{D(A)} \cup N_R - \{R_{init}\}$.

• $n_{0_{D(A)_R}} = A_{init}$.

• $E_{D(A)_R} = E_{D(A)} \cup \{n \xrightarrow{g,a,s,r} n' \mid n \xrightarrow{g,a,s,r} n' \in E_R \text{ and } n \neq R_{init}\} \cup \{A_{vio} \xrightarrow{g,a,s,r} n' \mid n \xrightarrow{g,a,s,r} n' \in E_R \text{ and } n = R_{init}\}$.

• $I_{D(A)_R} = I_{D(A)} - \{I(A_{vio})\} \cup \{I(n) \mid n \in N_R - \{R_{init}\}\} \cup \{I(A_{vio}) = I(R_{init})\}$.

Finally, we have to define the rules about how the automata corresponding to different deontic norms 
are composed when we have a composition of deontic norms in our C-O Diagram. To make this composition 
possible, first we need to have only one ending node in the automata corresponding to the different 
deontic norms. Therefore, we add a new ending node in these automata and urgent edges from the old 
ending nodes to this new node. Notice that in the case of obligation and prohibition, if there is no reparation 
defined, the node violating the norm is a final node of the whole automaton construction where the 
contract is breached. In the case of permission, as no reparation is defined, we have that $P(A)_R = P(A)$. 

Definition 7 (C-O Diagrams Transformation Rules: Part IV) 

(7) Let $D(A)_R = (N_{D(A)_R}, n_{0D(A)_R}, E_{D(A)_R}, I_{D(A)_R})$, where $D \in \{O, P, F\}$, be the automaton corresponding 
to an obligation, a prohibition or a permission in a C-O Diagram, specifying a reparation $R \neq \varepsilon$ 
in the first two cases. The corresponding automaton with only one ending node, which we call $A_{final}$ 
and which preserves the violation, satisfaction and permission sets of the previous node, is 
$D(A)'_R = (N_{D(A)'_R}, n_{0D(A)'_R}, E_{D(A)'_R}, I_{D(A)'_R})$, where: 

• $N_{D(A)'_R} = N_{D(A)_R} \cup \{A_{final}\}$. 

• $n_{0D(A)'_R} = n_{0D(A)_R}$. 

• $E_{D(A)'_R} = E_{D(A)_R} \cup \{A_{skip} \xrightarrow{u} A_{final}\} \cup \begin{cases} \{A_{end} \xrightarrow{u} A_{final},\ R_{end} \xrightarrow{u} A_{final}\} & \text{if } D = O \\ \{A_{end} \xrightarrow{u} A_{final},\ A_{time} \xrightarrow{u} A_{final}\} & \text{if } D = P \\ \{A_{time} \xrightarrow{u} A_{final},\ R_{end} \xrightarrow{u} A_{final}\} & \text{if } D = F \end{cases}$ 

• $I_{D(A)'_R} = I_{D(A)_R}$. 



Therefore, the composition of the automata corresponding to different deontic norms is defined by 
three additional transformation rules. 

Definition 7 (C-O Diagrams Transformation Rules: Part V) 

(8) If several norms are composed by an AND-refinement, that is, we have specified the diagram 
$(\varepsilon, name, g, tr, C_1\ And\ C_2\ And \dots And\ C_n, \varepsilon)$, their composition corresponds to a network of automata 
in which we consider all the norms we are composing in parallel. Let us consider $\mathcal{C}_1, \mathcal{C}_2, \dots, \mathcal{C}_n$ 
the automata corresponding to the norms we are composing. The resulting network of automata 
preserves the structure of the automata we are composing, adding to each one of them the additional 
nodes and edges necessary for synchronization (these nodes are called $C_{init}$ and $C_{final}$ 
in the first automaton, and $C_{i\,syn}$ and $C_{i\,syn'}$, $i = 1, \dots, n-1$, in the other automata). Before its initial 
node, each automaton synchronizes with the other automata, and it synchronizes again after its 
final node, by means of urgent channels ($m_1, m_2, \dots, m_{n-1}$). In the first automaton we add another 
node $C_{skip}$ if the guard condition of the parent clause $g \neq \varepsilon$, and an urgent edge from $C_{init}$ to this new 
node guarded with the negated guard condition ($\neg g$). In the final node of the first automaton the 
violation, satisfaction and permission sets are the union of the sets resulting in each one of the automata 
running in parallel, so we have that $V_{final} = V_1 \cup V_2 \cup \dots \cup V_n$, $S_{final} = S_1 \cup S_2 \cup \dots \cup S_n$ 
and $P_{final} = P_1 \cup P_2 \cup \dots \cup P_n$. If the time restriction of the parent clause $tr \neq \varepsilon$, we consider this 
additional time restriction in all the composed automata together with their own time restrictions. 
Let $\mathcal{C}_1 = (N_{\mathcal{C}_1}, n_{0\mathcal{C}_1}, E_{\mathcal{C}_1}, I_{\mathcal{C}_1})$, $\mathcal{C}_2 = (N_{\mathcal{C}_2}, n_{0\mathcal{C}_2}, E_{\mathcal{C}_2}, I_{\mathcal{C}_2})$, …, $\mathcal{C}_n = (N_{\mathcal{C}_n}, n_{0\mathcal{C}_n}, E_{\mathcal{C}_n}, I_{\mathcal{C}_n})$. Considering 
the case where $g \neq \varepsilon$ and $tr \neq \varepsilon$, and having that $E^*_{\mathcal{C}_1}, E^*_{\mathcal{C}_2}, \dots, E^*_{\mathcal{C}_n}$ are the sets of edges 
considering time restriction $tr$ together with their own time restriction, the resulting network of 
automata is therefore $\mathcal{C}^*_i = (N_{\mathcal{C}^*_i}, n_{0\mathcal{C}^*_i}, E_{\mathcal{C}^*_i}, I_{\mathcal{C}^*_i})$, $i = 1, \dots, n$, where: 

• $N_{\mathcal{C}^*_i} = N_{\mathcal{C}_i} \cup \begin{cases} \{C_{init}, C_{final}, C_{skip}\} & \text{if } i = 1 \\ \{C_{i\,syn}, C_{i\,syn'}, C_{i-1\,syn}, C_{i-1\,syn'}\} & \text{if } i = 2, \dots, n-1 \\ \{C_{i-1\,syn}, C_{i-1\,syn'}\} & \text{if } i = n \end{cases}$ 

• $n_{0\mathcal{C}^*_i} = \begin{cases} C_{init} & \text{if } i = 1 \\ C_{i-1\,syn} & \text{if } i = 2, \dots, n \end{cases}$ 

• $E_{\mathcal{C}^*_i} = E^*_{\mathcal{C}_i} \cup \begin{cases} \{C_{init} \xrightarrow{u} C_{skip},\ C_{init} \xrightarrow{m_1!} C_{1init},\ C_{1final} \xrightarrow{m_1!} C_{final}\} & \text{if } i = 1 \\ \{C_{i-1\,syn} \xrightarrow{m_{i-1}?} C_{i\,syn},\ C_{i\,syn} \xrightarrow{m_i!} C_{iinit},\ C_{ifinal} \xrightarrow{m_i!} C_{i\,syn'},\ C_{i\,syn'} \xrightarrow{m_{i-1}?} C_{i-1\,syn'}\} & \text{if } i = 2, \dots, n-1 \\ \{C_{i-1\,syn} \xrightarrow{m_{i-1}?} C_{iinit},\ C_{ifinal} \xrightarrow{m_{i-1}?} C_{i-1\,syn'}\} & \text{if } i = n \end{cases}$ 

• $I_{\mathcal{C}^*_i} = I_{\mathcal{C}_i} \cup \{I(n) = x \le t_2 + 1 \mid n \in N_{\mathcal{C}_i} - \{C_{ifinal}\}\}$. 
[Figure 7: panels (A), (B) and (C)]

Figure 7: Automata corresponding to the compositions of deontic norms 

This composition of timed automata is shown graphically in Fig. 7 (A). 

(9) If several norms are composed by an OR-refinement, that is, we have specified the diagram 
$(\varepsilon, name, g, tr, C_1\ Or\ C_2\ Or \dots Or\ C_n, \varepsilon)$, their composition corresponds to an automaton in which 
the automaton corresponding to each one of the norms is considered as an alternative. Let us 
consider $\mathcal{C}_1, \mathcal{C}_2, \dots, \mathcal{C}_n$ the automata corresponding to the norms we are composing. The resulting 
automaton $OR^*$ preserves the structure of the automata we are composing, adding two nodes 
called $C_{init}$ and $C_{final}$. We define an urgent edge performing no action for each one of the norms 
we are composing, connecting $C_{init}$ with the initial node of the automaton corresponding to the 
norm, and we also define an urgent edge performing no action for each one of the norms we are 
composing, connecting the final node of its automaton with $C_{final}$. We add another node $C_{skip}$ if 
the guard condition of the parent clause $g \neq \varepsilon$, and an urgent edge from $C_{init}$ to this new node guarded 
with the negated guard condition ($\neg g$). In the final node of this new structure we keep the violation, 
satisfaction and permission sets of the previous final node, so we have that $V_{final} = V_1 | V_2 | \dots | V_n$, 
$S_{final} = S_1 | S_2 | \dots | S_n$ and $P_{final} = P_1 | P_2 | \dots | P_n$. If the time restriction of the parent clause $tr \neq \varepsilon$, we 
consider this additional time restriction in all the composed automata together with their own time 
restrictions. Let $\mathcal{C}_1 = (N_{\mathcal{C}_1}, n_{0\mathcal{C}_1}, E_{\mathcal{C}_1}, I_{\mathcal{C}_1})$, $\mathcal{C}_2 = (N_{\mathcal{C}_2}, n_{0\mathcal{C}_2}, E_{\mathcal{C}_2}, I_{\mathcal{C}_2})$, …, $\mathcal{C}_n = (N_{\mathcal{C}_n}, n_{0\mathcal{C}_n}, E_{\mathcal{C}_n}, I_{\mathcal{C}_n})$. 
Considering the case where $g \neq \varepsilon$ and $tr \neq \varepsilon$, and having that $E^*_{\mathcal{C}_1}, E^*_{\mathcal{C}_2}, \dots, E^*_{\mathcal{C}_n}$ are the sets 
of edges considering time restriction $tr$ together with their own time restriction, the resulting 
automaton is therefore $OR^* = (N_{OR^*}, n_{0OR^*}, E_{OR^*}, I_{OR^*})$, where: 

• $N_{OR^*} = N_{\mathcal{C}_1} \cup N_{\mathcal{C}_2} \cup \dots \cup N_{\mathcal{C}_n} \cup \{C_{init}, C_{final}, C_{skip}\}$. 

• $n_{0OR^*} = C_{init}$. 

• $E_{OR^*} = E^*_{\mathcal{C}_1} \cup E^*_{\mathcal{C}_2} \cup \dots \cup E^*_{\mathcal{C}_n} \cup \{C_{init} \xrightarrow{u} C_{1init}, C_{init} \xrightarrow{u} C_{2init}, \dots, C_{init} \xrightarrow{u} C_{ninit}\} \cup \{C_{1final} \xrightarrow{u} C_{final}, C_{2final} \xrightarrow{u} C_{final}, \dots, C_{nfinal} \xrightarrow{u} C_{final}\} \cup \{C_{init} \xrightarrow{u} C_{skip}\}$. 

• $I_{OR^*} = I_{\mathcal{C}_1} \cup \{I(n) = x \le t_2 + 1 \mid n \in N_{\mathcal{C}_1} - \{C_{1final}\}\} \cup I_{\mathcal{C}_2} \cup \{I(n) = x \le t_2 + 1 \mid n \in N_{\mathcal{C}_2} - \{C_{2final}\}\} \cup \dots \cup I_{\mathcal{C}_n} \cup \{I(n) = x \le t_2 + 1 \mid n \in N_{\mathcal{C}_n} - \{C_{nfinal}\}\}$. 

This composition of timed automata is shown graphically in Fig. 7 (B). 

(10) If several norms are composed by a SEQ-refinement, that is, we have specified the diagram 
$(\varepsilon, name, g, tr, C_1\ Seq\ C_2\ Seq \dots Seq\ C_n, \varepsilon)$, their composition corresponds to an automaton in which 
the automata corresponding to each one of the norms are connected in sequence. Let us consider 
$\mathcal{C}_1, \mathcal{C}_2, \dots, \mathcal{C}_n$ the automata corresponding to the norms we are composing. The resulting 
automaton $SEQ^*$ preserves the structure of the automata we are composing, adding just one extra 
node $C_{skip}$ if the guard condition of the parent clause $g \neq \varepsilon$, and an urgent edge from $C_{1init}$ to this new 
node guarded with the negated guard condition ($\neg g$). We connect with an urgent edge performing 
no action the ending node of each automaton in the sequence ($C_{1final}, C_{2final}, \dots, C_{n-1final}$) 
with the initial node of the next automaton ($C_{2init}, C_{3init}, \dots, C_{ninit}$). This rule is not applied in 
the cases of $C_{1init}$ (as there is no previous ending node to connect) and $C_{nfinal}$ (as there is no 
following initial node to connect). In the initial node of each one of the composed automata 
we preserve the violation, satisfaction and permission sets of the previous final node. If the time 
restriction of the parent clause $tr \neq \varepsilon$, we consider this additional time restriction in all the composed 
automata together with their own time restrictions. Let $\mathcal{C}_1 = (N_{\mathcal{C}_1}, n_{0\mathcal{C}_1}, E_{\mathcal{C}_1}, I_{\mathcal{C}_1})$, $\mathcal{C}_2 = (N_{\mathcal{C}_2}, n_{0\mathcal{C}_2}, E_{\mathcal{C}_2}, I_{\mathcal{C}_2})$, …, $\mathcal{C}_n = (N_{\mathcal{C}_n}, n_{0\mathcal{C}_n}, E_{\mathcal{C}_n}, I_{\mathcal{C}_n})$. 
Considering the case where $g \neq \varepsilon$ and $tr \neq \varepsilon$, and having that $E^*_{\mathcal{C}_1}, E^*_{\mathcal{C}_2}, \dots, E^*_{\mathcal{C}_n}$ are the sets of edges 
considering time restriction $tr$ together with their own time restriction, the resulting automaton is 
$SEQ^* = (N_{SEQ^*}, n_{0SEQ^*}, E_{SEQ^*}, I_{SEQ^*})$, where: 

• $I_{SEQ^*} = I_{\mathcal{C}_1} \cup \{I(n) = x \le t_2 + 1 \mid n \in N_{\mathcal{C}_1} - \{C_{1final}\}\} \cup I_{\mathcal{C}_2} \cup \{I(n) = x \le t_2 + 1 \mid n \in N_{\mathcal{C}_2} - \{C_{2final}\}\} \cup \dots \cup I_{\mathcal{C}_n} \cup \{I(n) = x \le t_2 + 1 \mid n \in N_{\mathcal{C}_n} - \{C_{nfinal}\}\}$. 

This composition of timed automata is shown graphically in Fig. 7 (C). 

3.1 Implementation in UPPAAL 

The implementation in UPPAAL of the NTAs we have obtained is quite straightforward, as the NTA 
formalism considered by the tool and the NTA formalism that we have considered are very similar. 
There are only a few implementation points that need a more detailed explanation: 

• First, as there is no way in UPPAAL of directly expressing that an edge without synchronisation 
should be taken without delay, that is, there are no urgent edges, we have to find an alternative way 
of encoding this behaviour. For this purpose we consider the modelling pattern proposed in O. 
The encoding of urgent edges introduces an extra automaton, that we call Urgent, with a single 
location and a self loop. The self loop synchronises on an urgent channel that we call urg_edge. 
An edge can now be made urgent by performing the complementary action. 

• The performance of actions by agents is implemented by means of boolean variables in UPPAAL. 
We define a boolean variable called agent_action for each one of the actions considered in the 
contract. These variables are initialized to false and, when one of the actions is performed by an 
agent in one of the edges, we update the value of the corresponding variable to true. 

• Finally, the violation, satisfaction and permission sets are implemented in UPPAAL by means of 
boolean arrays and constant integers with the names of the clauses of the contract containing obligations, 
prohibitions or permissions. We define an array V for violation, an array S for satisfaction, 
and an array P for permission, all of them initialized to false. The size of the arrays V and S is 
equal to the number of obligations and prohibitions in the contract, whereas the size of the array 
P is equal to the number of permissions. We also define constant integers with the name of the 
clauses containing obligations and prohibitions, initializing each one of them to a different value 
(from 0 to the size of the arrays V and S minus 1), and constant integers with the name of the 
clauses containing permissions, initializing each one of them to a different value (from 0 to the 
size of the array P minus 1). These constants are used as indexes in the arrays. When taking a 
transition where the target node contains at least one modified set (an obligation/prohibition is 
violated, an obligation/prohibition is satisfied or a permission is made effective), we update to true 
in the proper array the value of the index corresponding to the clause. In the case of repairing an 
obligation/prohibition violation, the index corresponding to the proper clause in V is set to false. 

Figure 8: Online auctioning process C-O Diagram and corresponding NTA in UPPAAL 



3.2 Example: Online Auctioning Process 

Let us consider part of a contract about an online auctioning process. It specifies that at the beginning 
of the process the seller has one day to upload valid information about the item he wants to sell, the 
sale of inadequate items such as replicas of designer items or wild animals being forbidden. We can 
identify in this specification an obligation, a prohibition and a real-time constraint affecting both norms. 
In the representation of this contract as a C-O Diagram, which can be seen in the left-hand side of Fig. 8, 
we have a main clause Check_Item including the time restriction of one day, denoted as t1. This main 
clause is decomposed by means of an AND-refinement, having on the one hand the clause with the 
prohibition, called Inadequate_Item and denoting the action as a1, and on the other hand the clause with 
the obligation, called Valid_Information and denoting the action as a3. 

By following the C-O Diagrams semantics, we can obtain an NTA corresponding to the contract. Its 
implementation in the UPPAAL tool can be seen in the right-hand side of Fig. 8, having two automata 
running in parallel, one corresponding to the prohibition and the other one corresponding to the obligation. 
Now we can take advantage of all the mechanisms for simulation and formal verification provided 
by the tool to model-check the contract specification. As this is just a small part of a contract, the 
properties we can verify here are quite obvious. However, this verification process can be very useful over 
big contracts, verifying properties such as the violation of clauses when a time constraint expires, the 
possibility of satisfying the contract without violating any clause, etc. 

For example, in the current NTA we can check the property that if the seller takes more than one day 
(t1 > 1) to upload valid information about the item, the clause Valid_Information is always violated. This 
property is written as follows in the UPPAAL verifier: 

A1.n1 and t1 > 1 --> V[Valid_Information] == true 

And we obtain that this property is satisfied. 
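As an added example (not the paper's code or its UPPAAL model), the following Python script simulates the encoding of Section 3.1 (arrays V, S, P indexed by clause constants, agent_action flags, timeout edges, reparation clearing V) for the Check_Item fragment of Section 3.2, and checks the same leads-to property over explicit traces. The trace format, the function names and the concrete index values are assumptions of this example.

```python
"""Simulation of the UPPAAL encoding of the Check_Item contract fragment.

Added example, not the paper's code. Mirrors Section 3.1: boolean arrays
V (violation), S (satisfaction), P (permission) indexed by constant clause
names, agent_action flags, and the timeout behaviour of the obligation and
prohibition automata. Clause names, actions a1/a3 and the one-day bound
t1 <= 1 come from Section 3.2; the trace format is assumed here.
"""
from dataclasses import dataclass, field

# Constant indexes into V and S (obligations/prohibitions); the fragment has
# no permissions, so P stays empty. The index values are assumed.
INADEQUATE_ITEM = 0      # prohibition of action a1
VALID_INFORMATION = 1    # obligation of action a3
DEADLINE = 1             # time restriction of Check_Item: one day (t1 <= 1)


@dataclass
class ContractState:
    V: list = field(default_factory=lambda: [False, False])
    S: list = field(default_factory=lambda: [False, False])
    P: list = field(default_factory=list)
    agent_action: dict = field(default_factory=lambda: {"a1": False, "a3": False})


def run_trace(trace):
    """trace: constructed list of (t1, action) pairs, t1 in days since the
    clause started. Both automata of the AND-refinement run in parallel; the
    invariant x <= t2+1 forces the timeout edges once t1 exceeds DEADLINE."""
    st = ContractState()
    for t, action in sorted(trace):
        if t > DEADLINE:
            break                           # only the timeout edges remain
        st.agent_action[action] = True
        if action == "a1":
            st.V[INADEQUATE_ITEM] = True    # prohibited action performed: violation
        if action == "a3":
            st.S[VALID_INFORMATION] = True  # obligation fulfilled in time
    # Timeout edges (A_time): an unfulfilled obligation is violated,
    # an unbroken prohibition is satisfied.
    if not st.S[VALID_INFORMATION]:
        st.V[VALID_INFORMATION] = True
    if not st.V[INADEQUATE_ITEM]:
        st.S[INADEQUATE_ITEM] = True
    return st


def repair(st, clause):
    """Reparation (rule (6) and Section 3.1): clear the clause's violation flag."""
    st.V[clause] = False
    return st


def property_holds(traces):
    """The leads-to query of Section 3.2 over explicit traces: whenever a3 is
    not performed within one day, V[Valid_Information] must be true."""
    for tr in traces:
        late = all(t > DEADLINE for t, a in tr if a == "a3")
        if late and not run_trace(tr).V[VALID_INFORMATION]:
            return False
    return True
```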
4 Conclusions 

In this work we have developed a formal semantics for C-O Diagrams based on timed automata extended 
with an ordering of states and edges in order to represent the different deontic modalities. We have 
also seen how these automata can be implemented in UPPAAL in order to model-check the contract 
specification, and a small example has been provided. 

As future work, we are working on several case studies in order to prove the usefulness of our 
approach to model-check the specification of complex contracts with real-time constraints. With these 
case studies we also want to check the complexity of the contracts we can deal with. Finally, we are 
working on the improvement of the satisfaction rules defined in [7] and their relationship with the C-O 
Diagrams formal semantics. 

References 

[1] R. Alur & D.L. Dill (1990): Automata For Modeling Real-Time Systems. In: ICALP, pp. 322-335, doi:10.1007/BFb0032042. 

[2] R. Alur & D.L. Dill (1994): A Theory of Timed Automata. Theoretical Computer Science 126(2), pp. 183-235, doi:10.1016/0304-3975(94)90010-8. 

[3] G. Behrmann, A. David & K. G. Larsen (2004): A tutorial on Uppaal. Formal Methods for the Design of Real-Time Systems (3185), pp. 200-236. 

[4] ebXML: Electronic Business using eXtensible Markup Language. www.ebxml.org 

[5] J. Hatcliff, G.T. Leavens, K.R.M. Leino, P. Müller & M. Parkinson (2009): Behavioral Interface Specification Languages. Technical Report CS-TR-09-01, School of EECS, University of Central Florida. 

[6] K. G. Larsen, P. Pettersson & W. Yi (1997): UPPAAL in a Nutshell. STTT: International Journal on Software Tools for Technology Transfer 1(1-2), pp. 134-152, doi:10.1007/s100090050010. 

[7] E. Martínez, G. Díaz & M. E. Cambronero (2010): Visual Specification of Formal e-Contracts. Fourth Workshop on Formal Languages and Analysis of Contract-Oriented Software (FLACOS 2010), pp. 55-61. 

[8] E. Martínez, G. Díaz, M. E. Cambronero & G. Schneider (2010): A Model for Visual Specification of e-Contracts. In: The 7th IEEE International Conference on Services Computing (IEEE SCC'10), pp. 1-8, doi:10.1109/SCC.2010.32. 

[9] P. McNamara (2006): Deontic Logic. In: Gabbay, D.M., Woods, J., eds.: Handbook of the History of Logic, 7, North-Holland Publishing, pp. 197-289, doi:10.1016/S1874-5857(06)80029-4. 

[10] B. Meyer (1986): Design by Contract. Technical Report TR-EI-12/CO, Interactive Software Engineering Inc. 

[11] J. C. Okika & A. P. Ravn (2008): Classification of SOA Contract Specification Languages. In: 2008 IEEE International Conference on Web Services (ICWS'08), IEEE Computer Society, pp. 433-440, doi:10.1109/ICWS.2008.36. 

[12] C. Prisacariu & G. Schneider (2009): CL: An Action-based Logic for Reasoning about Contracts. In: 16th Workshop on Logic, Language, Information and Computation (WOLLIC'09), LNCS 5514, Springer, pp. 335-349, doi:10.1007/978-3-642-02261-6_27. 

[13] Web Services Agreement Specification (WS-Agreement). https://forge.gridforum.org/projects/graap-wg/document/WS-AgreementSpecification/en/7 

[14] WSLA: Web Service Level Agreements. www.research.ibm.com/wsla/ 



